From the horse’s mouth

My comments

One main thrust behind the Wi-Fi Alliance’s new initiative concerning authentication, authorisation and accounting on public hotspots was to permit a wireless-broadband carrier to use Wi-Fi hotspots as a complementary cellular technology. This avoids the need to buy more cellular-telephony spectrum in order to increase service capacity, and it is becoming necessary as the available radio spectrum grows scarcer.

Here, a cellular carrier could run its own Wi-Fi hotspot network, as Telstra does, or form a partnership with a wireless Internet service provider like “The Cloud” in the UK as a way of providing this service. It could then let a customer hand over seamlessly from the 3G network to a Wi-Fi network that accepts these credentials.

The way this will operate is to use the SIM card in a smartphone to store the credentials for Wi-Fi networks. This card is typically controlled by the cellular carrier and may only be usable for login credentials tied to the carrier’s own partnerships.

A limitation I find with this is that the carrier could implement software locks so that the customer can’t use public networks other than those provided by the carrier or its partners. There are also other issues that haven’t been looked at properly in this push for improved authentication, authorisation and accounting on these networks, which I list below.

Venue-controlled hotspots

It can also make life difficult for customers who use hotspots provided by venue owners such as hotels or cafes. Here, the login experience is typically managed by the hotspot owner and may require information like a session ID printed on the docket at a bar or cafe, or a room number at a hotel. These apply where you pay the premises owner for the hotspot service or where the service is part of the business’s main operation. At some free hotspots, you may have to click through a form assenting to the terms and conditions of the service before you can continue.

A user could also use a hotspot run by an independent wireless hotspot operator and buy their access themselves through a Web-based user interface before using the service.

What I would like to see is support for these kinds of hotspot, because the user interface most of them provide becomes awkward for people using handheld devices. This is typically because these interfaces are designed for laptops rather than handhelds.

The improved interfaces could support “app-style” login experiences, including “remember-me” logins where applicable. Other improvements could include barcodes scanned by the phone’s camera to load the “session key” for docket-controlled hotspots, or direct loading of login tokens delivered by MMS for “SMS login token” WISPs. This could then lead to a venue-branded experience, which some users may see as a “safety net” for their hotspot session, although a branded page on its own can be copied by a rogue hotspot and is only reassuring once the network itself has been verified.

A branded experience can also be part of a “walled garden” of sites that a person can visit free of charge, or a more sophisticated experience with such things as an online menu or the ability to order food and drink from your computing device.

Similarly, the idea of “franchising” WISP service to owners of venue-controlled hotspots hasn’t been worked out fully with this technology. Here, a person could have the right to resell a WISP’s service under various risk-return models, with the clients of that service using their hotspot in exchange for a cut of what those clients pay.

Selective device-cluster creation

It is also preferred practice to isolate the devices on a public network from each other at layer 2, in order to prevent unwanted peer-to-peer discovery of, and access to, other devices on the network. This is typically achieved through functions like “AP isolation” or “wireless network isolation”, and it makes each device appear to be connected directly and privately to the Internet.

There are situations where a person may want local connectivity between their own devices, or with devices owned by other users in their trust circle. Examples include LAN-based gaming over a wireless hotspot network, a workgroup sharing data during a cafe meeting, someone shifting data between a smartphone and a tablet computer at a coffee lounge, or simply uploading pictures from a Wi-Fi-enabled camera to a 13” traveller laptop at their favourite “watering hole”.

Here, the authentication needed for this could range from “same-token” login for devices with integrated Web browsers, to entry of MAC addresses or WPS PINs into a “cluster-creation” screen provided by the hotspot gateway. Since a MAC address is trivial to spoof, any such cluster should be bound to the owner’s authenticated session rather than to the hardware address alone, so that one guest cannot pull another guest’s device into their cluster by typing in its address. The Wi-Fi Alliance could examine the feasibility of using the new authentication methods as a way of creating selective clusters across a device-isolated public wireless network.
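The following is an added example, not code from the Wi-Fi Alliance or from this post, showing how a hotspot gateway could realise the cluster idea described above on top of default client isolation. The type and method names (Gateway, JoinWithToken, AddMAC, Forward) and the token strings are this example’s own assumptions. Devices that log in with the same token land in the same cluster; a device that cannot log in itself (a Wi-Fi camera) can be added by MAC address, but only if no other cluster has already claimed that address, which is the check that keeps the MAC-entry screen from becoming a way to hijack someone else’s device.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Gateway models the client-isolation policy of a hotspot gateway: every
// client is cut off from every other client by default (AP isolation), and
// the only exception is a cluster created by an authenticated user.
// The structure and names are this example's own assumptions.
type Gateway struct {
	clusterOf map[string]string // normalised client MAC -> cluster id (the login token)
	known     map[string]bool   // login tokens the hotspot has issued
}

// NewGateway creates a gateway that recognises the given login tokens.
func NewGateway(tokens ...string) *Gateway {
	g := &Gateway{clusterOf: map[string]string{}, known: map[string]bool{}}
	for _, t := range tokens {
		g.known[t] = true
	}
	return g
}

// norm makes MAC comparison case-insensitive; drivers differ in case.
func norm(mac string) string { return strings.ToLower(strings.TrimSpace(mac)) }

var (
	ErrBadToken = errors.New("unknown login token")
	ErrClaimed  = errors.New("device already belongs to another cluster")
)

// JoinWithToken is the "same-token" path: a device that logs in with the same
// token as the owner's other devices lands in the owner's cluster. The MAC is
// taken from the authenticated session, not typed in by anyone.
func (g *Gateway) JoinWithToken(mac, token string) error {
	if !g.known[token] {
		return ErrBadToken
	}
	g.clusterOf[norm(mac)] = token
	return nil
}

// AddMAC is the cluster-creation screen: an owner enters the MAC of a device
// that cannot log in itself. Because a MAC can be spoofed, the gateway refuses
// to move a device that is already claimed by a different cluster, so one guest
// cannot pull another guest's device into their cluster by guessing its address.
func (g *Gateway) AddMAC(ownerToken, mac string) error {
	if !g.known[ownerToken] {
		return ErrBadToken
	}
	m := norm(mac)
	if cur, ok := g.clusterOf[m]; ok && cur != ownerToken {
		return ErrClaimed
	}
	g.clusterOf[m] = ownerToken
	return nil
}

// Forward is the decision for a client-to-client frame: allowed only when both
// ends are in the same cluster. Everything else keeps the isolated default.
// Traffic towards the gateway and the Internet is not subject to this check.
func (g *Gateway) Forward(src, dst string) bool {
	a, okA := g.clusterOf[norm(src)]
	b, okB := g.clusterOf[norm(dst)]
	return okA && okB && a == b
}

func main() {
	// Constructed sample session: two guests, tokens tok-A and tok-B.
	g := NewGateway("tok-A", "tok-B")
	_ = g.JoinWithToken("aa:bb:cc:00:00:01", "tok-A") // phone
	_ = g.JoinWithToken("aa:bb:cc:00:00:02", "tok-A") // tablet
	_ = g.JoinWithToken("aa:bb:cc:00:00:03", "tok-B") // another guest's laptop
	fmt.Println("phone -> tablet:", g.Forward("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"))
	fmt.Println("phone -> laptop:", g.Forward("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:03"))
	fmt.Println("hijack attempt:", g.AddMAC("tok-B", "aa:bb:cc:00:00:01"))
}
```

On a real gateway the Forward decision would be compiled into bridge firewall rules rather than evaluated per frame in user space, but the policy is the same: deny unless both addresses carry the same authenticated cluster id.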

Authenticating hotspots at the SSID-discovery level

The other question that has not been answered, as far as I am concerned, is whether there will be a system for authenticating hotspots and public networks in a similar manner to what happens when a user logs on to a banking site, for example. This would verify that the user has discovered a “safe” network before they select that SSID and begin to log in to the hotspot.

The data that would be verified would be the MAC addresses of the access points, as well as the gateway device’s IP address and MAC address. This could be used to verify that the user has logged in to a network operated by the venue providing the hotspot service. For a WISP like “The Cloud” or FON, this may be useful for verifying that users have logged in to the WISP’s network; in this case the information would pertain to the WISP’s locally installed hardware. Note that these addresses are themselves easy to clone, so such a scheme only proves that the addresses belong to the venue; stopping a rogue access point that copies a listed address still needs authentication of the link itself.

Here, this could be achieved through a public-key signature scheme, where successfully verified hotspots could at least be highlighted in the wireless-network list with a “key” or green-light icon. If the system also supported transmission of logo icons, the client device could show the company logo for that hotspot host.

It could also work as a way of encouraging customers to be sure of where they are surfing the Web from. Likewise, a business could configure its Windows 7 laptops or BlackBerry smartphones, where they support this kind of verification for public wireless networks, to prohibit logging in to public wireless networks that lack it.

The main issue with this is that independently run cafes and bars would need access to any such certification setup at a modest price, preferably through a government business-support agency or their bank.

Conclusion

Once these issues concerning the provision of public Wi-Fi Internet service are ironed out, the hordes of users with notebooks, netbooks, smartphones and tablet computers will be able to use these services to their full capability and in a secure manner.